VPC & IP Topology
One shared VPC per region, sized /16 (DO max, 65,531 usable). A region's customer clusters, their resold DO Managed DBs, the telemetry VM droplets, and LBs all live in it. Tenant isolation is namespace + NetworkPolicy + the server-side query filter — not the VPC — so clusters share the regional VPC safely. Peerings scale with regions, not clusters: the control-plane VPC peers each regional VPC once (~12 peerings at 12 regions, far under DO's 50/account); that peering carries only the thin cross-region dashboard reads (§35.4), never the ingest firehose.
VPC-native DOKS (Cilium, K8s 1.31+) — required because customer pods must reach their Managed DB over the private network and (for the control plane) peered regional stores, with the resource seeing the pod IP (not a SNAT'd node IP). Each customer DB is isolated by scoping its Trusted Sources to the owning pod subnet.
IP plan (deliberate; subnets can't be resized after cluster creation):
| Range | Size | Holds |
|---|---|---|
| Regional node VPC | /16 | cluster nodes + customer Managed DBs + LBs + telemetry droplets |
| Per-cluster pod subnet | /18 (128 nodes) | pod IPs — ~8× headroom over the ~1,000-pod (≈10–16 node) cap |
| Per-cluster service subnet | /22 (1,024) | K8s Services |
Pod/service subnets are separate ranges (not carved from the VPC /16), assigned non-overlapping from a systematic 10.0.0.0/8 scheme (skip DO's reserved 10.244/10.245/10.246/10.229 and DO's auto-suggest) and tracked in an IPAM allocation registry (§39.3 #46). A single /16 holds hundreds of clusters + tens of thousands of DBs before address space binds; the practical knobs as a region scales are the account soft-quotas (Droplets 25, Managed DB clusters 10 — raised via support, §39.3 #47) and, only at extreme scale, a second regional VPC (+1 peering).
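A toy version of the allocation registry described above, added here as an illustration (not the project's IPAM tool): it hands out the regional /16, then per-cluster pod /18 and service /22 blocks first-fit from 10.0.0.0/8, refusing anything that overlaps an existing allocation or one of the DO-reserved ranges. The region/cluster names and the per-node /25 used to reproduce the "128 nodes" figure are assumptions.

```python
import ipaddress

# DO ranges the page says to skip; pod/service subnets must never overlap them.
DO_RESERVED = [ipaddress.ip_network(r) for r in
               ("10.244.0.0/16", "10.245.0.0/16", "10.246.0.0/16", "10.229.0.0/16")]

class Ipam:
    """First-fit allocation registry over one root; constructed example, not the project's tool."""
    def __init__(self, root="10.0.0.0/8", reserved=()):
        self.root = ipaddress.ip_network(root)
        self.reserved = list(reserved)
        self.allocated = {}  # name -> IPv4Network

    def _free(self, candidate):
        taken = list(self.allocated.values()) + self.reserved
        return not any(candidate.overlaps(t) for t in taken)

    def allocate(self, name, prefixlen):
        if name in self.allocated:
            raise ValueError(f"{name} already holds {self.allocated[name]}")
        for cand in self.root.subnets(new_prefix=prefixlen):
            if self._free(cand):
                self.allocated[name] = cand
                return cand
        raise RuntimeError(f"no free /{prefixlen} left in {self.root}")

def plan_region(ipam, region):
    """Regional node VPC: one /16 (the DO maximum)."""
    return ipam.allocate(f"{region}/vpc", 16)

def plan_cluster(ipam, region, cluster, pod_prefix=18, svc_prefix=22):
    """Per-cluster pod /18 and service /22, taken from the registry rather than carved out
    of the regional VPC /16, so they cannot collide with node, DB or LB addresses."""
    vpc = ipam.allocated[f"{region}/vpc"]  # plan_region() must run first
    pods = ipam.allocate(f"{region}/{cluster}/pods", pod_prefix)
    svcs = ipam.allocate(f"{region}/{cluster}/svc", svc_prefix)
    assert not pods.overlaps(vpc) and not svcs.overlaps(vpc) and not pods.overlaps(svcs)
    return pods, svcs

def node_capacity(pod_subnet, per_node_prefix=25):
    """Nodes a pod subnet holds if each node gets one /25 (128 pod IPs); the per-node
    size is an assumption chosen to reproduce the table's '/18 (128 nodes)'."""
    return 2 ** (per_node_prefix - pod_subnet.prefixlen)

if __name__ == "__main__":
    ipam = Ipam(reserved=DO_RESERVED)
    plan_region(ipam, "nyc3")  # assumed region name
    for c in ("c1", "c2"):  # assumed cluster names
        pods, svcs = plan_cluster(ipam, "nyc3", c)
        print(c, pods, svcs, node_capacity(pods), "nodes")
```

Because the pod and service blocks are allocated from the same registry as the VPC /16s, a second region or a second regional VPC simply takes the next free /16, keeping every peered range disjoint.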
Cross-references
Cluster topology (what runs in the VPC) → §4 · the traffic path that lands here → §5 · cross-region telemetry reads over peering → §35.4. Canonical map: Canonical Sources.